Cisco Support Community
Community Member

1720, NAT and Access-List

We have a 1720 with a WAN interface to the internet. We have NAT statements to map an external IP to an internal IP for access to services (email, www, etc.).

I want to set up an access-list to only open the ports for the services needed. The way it is currently set up, there is a one-to-one NAT with all ports being mapped.

I entered an access-list statement like this: access-list 102 permit tcp any host EXTERNALIP eq smtp. When I do a port scan, it still shows all the open ports. Am I doing something wrong? There is another WAN interface that connects to a remote site.


Re: 1720, NAT and Access-List

You can configure the translation from the inside IP address to the outside one only for the ports you need, for example:

ip nat inside source static tcp <inside-ip> 25 <outside-ip> 25

for the mail server.

This way the only ports visible from the internet are the ones you configure.
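The port-restricted NAT suggested above, worked through as an added configuration example (not from the original reply or from Cisco). All addresses, interface names and the ACL number are placeholders, and it assumes the ACL is bound to the WAN interface with ip access-group, which the original question does not show:

```cisco
! Added example, not part of the original thread. All addresses,
! interface names and ACL numbers are placeholders.
!
! One-to-one static NAT exposes every port of the inside host
! (the situation described in the question):
!   ip nat inside source static 192.0.2.10 203.0.113.10
!
! Port-restricted static NAT instead: only TCP/25 and TCP/80 are
! translated; any other port has no translation and is unreachable.
ip nat inside source static tcp 192.0.2.10 25 203.0.113.10 25
ip nat inside source static tcp 192.0.2.10 80 203.0.113.10 80
!
! Second layer: an inbound ACL on the WAN interface. The implicit
! "deny ip any any" at the end drops everything not listed. Inbound
! from the outside, the ACL is evaluated before NAT, so it matches
! the external (global) address. An ACL that is defined but never
! applied with ip access-group filters nothing, so a port scan
! would still show every mapped port.
access-list 102 permit tcp any host 203.0.113.10 eq smtp
access-list 102 permit tcp any host 203.0.113.10 eq www
! Return traffic for connections started from the inside.
access-list 102 permit tcp any any established
!
interface Serial0
 description WAN to internet (placeholder name)
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group 102 in
!
interface FastEthernet0
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
```

After applying it, show ip nat translations lists only the two static TCP entries, and show ip access-lists shows per-line match counters, which is the quickest way to confirm the ACL is actually being hit rather than sitting unapplied.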
